Snort mailing list archives

Understanding byte_test


From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 6 Oct 2011 13:41:34 -0600

So... I saw this today. Here's the rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt "; \
    flow:to_client,established; content:"moov"; content:"vide"; distance:0; \
    content:"stsd"; distance:0; fast_pattern; \
    byte_test:1,>,31,58,relative,big; \
    metadata:policy balanced-ips alert, policy security-ips alert, service http; \
    reference:bugtraq,35139; reference:cve,2009-1537; \
    reference:url,www.microsoft.com/technet/security/advisory/971778.mspx; \
    reference:url,www.microsoft.com/technet/security/bulletin/MS09-028.mspx; \
    classtype:attempted-user; sid:15517; rev:6;)



If I'm understanding byte_test correctly, this says "test one byte, make
sure it's greater than decimal 31, and start processing 58 bytes into the
payload, but because our last match was stsd, start at packet offset 2c5".
This then matches byte 2d0, since it's A0, yes? Or am I reading this way
wrong? Thanks for any understanding you can shed.

James




WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt
209.161.5.216 -> bleh
IPVer=4 hlen=5 tos=0 dlen=1440 ID=55752 flags=2 offset=0 ttl=60
chksum=32241
Protocol: 6 sport=80 -> dport=2915

Seq=2936503472 Ack=150666001 Off=5 Res=0 Flags=***A**** Win=6432
urp=63069 chksum=0
Payload:
000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
010 : 0A 44 61 74 65 3A 20 54 68 75 2C 20 30 36 20 4F   .Date: Thu, 06 O
020 : 63 74 20 32 30 31 31 20 31 39 3A 30 37 3A 34 35   ct 2011 19:07:45
030 : 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70    GMT..Server: Ap
040 : 61 63 68 65 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66   ache..Last-Modif
050 : 69 65 64 3A 20 46 72 69 2C 20 33 30 20 53 65 70   ied: Fri, 30 Sep
060 : 20 32 30 31 31 20 31 39 3A 32 34 3A 35 39 20 47    2011 19:24:59 G
070 : 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 6E 67 65   MT..Accept-Range
080 : 73 3A 20 62 79 74 65 73 0D 0A 43 6F 6E 74 65 6E   s: bytes..Conten
090 : 74 2D 4C 65 6E 67 74 68 3A 20 31 37 38 36 35 34   t-Length: 178654
0a0 : 30 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 74   0..Keep-Alive: t
0b0 : 69 6D 65 6F 75 74 3D 35 2C 20 6D 61 78 3D 31 30   imeout=5, max=10
0c0 : 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B   0..Connection: K
0d0 : 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74 65   eep-Alive..Conte
0e0 : 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70 6C   nt-Type: text/pl
0f0 : 61 69 6E 0D 0A 0D 0A 00 00 00 20 66 74 79 70 4D   ain....... ftypM
100 : 34 56 50 00 00 00 01 4D 34 56 50 4D 34 41 20 6D   4VP....M4VPM4A m
110 : 70 34 32 69 73 6F 6D 00 00 15 63 6D 6F 6F 76 00   p42isom...cmoov.
120 : 00 00 6C 6D 76 68 64 00 00 00 00 CA AB C3 E3 CA   ..lmvhd.........
130 : AB C3 E3 00 00 02 58 00 00 28 96 00 01 00 00 01   ......X..(......
140 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00   ................
150 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00   ................
160 : 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00   ...........@....
170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
180 : 00 00 00 00 00 00 00 00 00 00 03 00 00 0E BE 74   ...............t
190 : 72 61 6B 00 00 00 5C 74 6B 68 64 00 00 00 01 CA   rak...\tkhd.....
1a0 : AB C3 CB CA AB C3 E3 00 00 00 01 00 00 00 00 00   ................
1b0 : 00 28 96 00 00 00 00 00 00 00 00 00 00 00 00 00   .(..............
1c0 : 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00   ................
1d0 : 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00   ................
1e0 : 00 00 00 40 00 00 00 01 E0 00 00 01 10 00 00 00   ...@............
1f0 : 00 00 24 65 64 74 73 00 00 00 1C 65 6C 73 74 00   ..$edts....elst.
200 : 00 00 00 00 00 00 01 00 00 28 96 00 00 00 00 00   .........(......
210 : 01 00 00 00 00 0E 36 6D 64 69 61 00 00 00 20 6D   ......6mdia... m
220 : 64 68 64 00 00 00 00 CA AB C3 E3 CA AB C3 E3 00   dhd.............
230 : 00 0B B5 00 00 CA BC 15 C7 00 00 00 00 00 3A 68   ..............:h
240 : 64 6C 72 00 00 00 00 00 00 00 00 76 69 64 65 00   dlr........vide.
250 : 00 00 00 00 00 00 00 00 00 00 00 41 70 70 6C 65   ...........Apple
260 : 20 56 69 64 65 6F 20 4D 65 64 69 61 20 48 61 6E    Video Media Han
270 : 64 6C 65 72 00 00 00 0D D4 6D 69 6E 66 00 00 00   dler.....minf...
280 : 14 76 6D 68 64 00 00 00 01 00 00 00 00 00 00 00   .vmhd...........
290 : 00 00 00 00 24 64 69 6E 66 00 00 00 1C 64 72 65   ....$dinf....dre
2a0 : 66 00 00 00 00 00 00 00 01 00 00 00 0C 75 72 6C   f............url
2b0 : 20 00 00 00 01 00 00 0D 94 73 74 62 6C 00 00 00    ........stbl...
2c0 : B0 73 74 73 64 00 00 00 00 00 00 00 01 00 00 00   .stsd...........
2d0 : A0 61 76 63 31 00 00 00 00 00 00 00 01 00 00 00   .avc1...........
2e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 01 E0 01   ................
2f0 : 10 00 48 00 00 00 48 00 00 00 00 00 00 00 01 00   ..H...H.........
300 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
310 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
320 : 18 FF FF 00 00 00 2E 61 76 63 43 01 42 E0 15 FF   .......avcC.B...
330 : 01 00 17 27 42 E0 15 A9 18 3C 11 D8 03 50 60 10   ...'B....<...P`.
340 : 6B 6D E8 03 D2 03 D5 7B DF 01 01 00 04 28 DE 09   km.....{.....(..
350 : 88 00 00 00 1C 75 75 69 64 6B 68 40 F2 5F 24 4F   .....uuidkh@._$O
360 : C5 BA 39 A5 1B CF 03 23 F3 00 00 00 01 00 00 00   ..9....#........
370 : 18 73 74 74 73 00 00 00 00 00 00 00 01 00 00 02   .stts...........
380 : 07 00 00 00 64 00 00 00 24 73 74 73 73 00 00 00   ....d...$stss...
390 : 00 00 00 00 05 00 00 00 01 00 00 00 79 00 00 00   ............y...
3a0 : F1 00 00 01 69 00 00 01 E1 00 00 03 4C 73 74 73   ....i.......Lsts
3b0 : 63 00 00 00 00 00 00 00 45 00 00 00 01 00 00 00   c.......E.......
3c0 : 09 00 00 00 01 00 00 00 02 00 00 00 06 00 00 00   ................
3d0 : 01 00 00 00 03 00 00 00 09 00 00 00 01 00 00 00   ................
3e0 : 04 00 00 00 06 00 00 00 01 00 00 00 05 00 00 00   ................
3f0 : 09 00 00 00 01 00 00 00 06 00 00 00 06 00 00 00   ................
400 : 01 00 00 00 07 00 00 00 09 00 00 00 01 00 00 00   ................
410 : 08 00 00 00 06 00 00 00 01 00 00 00 09 00 00 00   ................
420 : 09 00 00 00 01 00 00 00 0A 00 00 00 06 00 00 00   ................
430 : 01 00 00 00 0B 00 00 00 09 00 00 00 01 00 00 00   ................
440 : 0C 00 00 00 06 00 00 00 01 00 00 00 0D 00 00 00   ................
450 : 09 00 00 00 01 00 00 00 0E 00 00 00 06 00 00 00   ................
460 : 01 00 00 00 0F 00 00 00 09 00 00 00 01 00 00 00   ................
470 : 10 00 00 00 06 00 00 00 01 00 00 00 11 00 00 00   ................
480 : 09 00 00 00 01 00 00 00 12 00 00 00 06 00 00 00   ................
490 : 01 00 00 00 13 00 00 00 09 00 00 00 01 00 00 00   ................
4a0 : 14 00 00 00 06 00 00 00 01 00 00 00 15 00 00 00   ................
4b0 : 09 00 00 00 01 00 00 00 16 00 00 00 06 00 00 00   ................
4c0 : 01 00 00 00 17 00 00 00 09 00 00 00 01 00 00 00   ................
4d0 : 18 00 00 00 06 00 00 00 01 00 00 00 19 00 00 00   ................
4e0 : 09 00 00 00 01 00 00 00 1A 00 00 00 06 00 00 00   ................
4f0 : 01 00 00 00 1B 00 00 00 09 00 00 00 01 00 00 00   ................
500 : 1C 00 00 00 06 00 00 00 01 00 00 00 1D 00 00 00   ................
510 : 09 00 00 00 01 00 00 00 1E 00 00 00 06 00 00 00   ................
520 : 01 00 00 00 1F 00 00 00 09 00 00 00 01 00 00 00   ................
530 : 20 00 00 00 06 00 00 00 01 00 00 00 21 00 00 00    ...........!...
540 : 09 00 00 00 01 00 00 00 22 00 00 00 06 00 00 00   ........".......
550 : 01 00 00 00 23 00 00 00 09 00 00 00 01 00 00 00   ....#...........
560 : 24 00 00 00 06 00 00 00 01 00 00 00 25 00 00 00   $...........%...
570 : 09 00 00 00 01 00 00 00                           ........
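One way to check the arithmetic is to replay the rule's option chain over the posted payload the way Snort evaluates it: each `distance:0` content search starts at the end of the previous match, and a `relative` byte_test counts its offset from that same point. The script below is an added example, not part of the original post or of Snort itself; it embeds only the dump lines 0x2c0-0x2f0 verbatim, places the "moov" and "vide" atom types at the offsets the dump shows for them (0x11b and 0x24b), and zero-fills the rest of the 0x578-byte payload so absolute offsets are preserved. It returns which byte the byte_test actually examines and what value it finds there.

```python
# Excerpt of the hex dump from the message (offsets 0x2c0-0x2f0), copied verbatim.
# The rest of the payload is reconstructed sparsely: zero-filled, with the "moov"
# and "vide" atom types placed where the dump shows them, so offsets match the dump.
DUMP_EXCERPT = """
2c0 : B0 73 74 73 64 00 00 00 00 00 00 00 01 00 00 00
2d0 : A0 61 76 63 31 00 00 00 00 00 00 00 01 00 00 00
2e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 01 E0 01
2f0 : 10 00 48 00 00 00 48 00 00 00 00 00 00 00 01 00
"""

def build_payload(excerpt, size=0x578):
    """Assemble a payload of the dump's size with the excerpt at its real offsets."""
    buf = bytearray(size)
    buf[0x11b:0x11f] = b"moov"   # offset of "moov" in the posted dump
    buf[0x24b:0x24f] = b"vide"   # offset of "vide" in the posted dump
    for line in excerpt.strip().splitlines():
        off, hexbytes = line.split(":", 1)
        data = bytes.fromhex(hexbytes)
        start = int(off.strip(), 16)
        buf[start:start + len(data)] = data
    return bytes(buf)

def byte_test(payload, doe, nbytes, op, value, offset, big=True):
    """Snort-style byte_test with 'relative': offset counts from the end of the
    last match (doe). Returns (result, position examined, value read)."""
    pos = doe + offset
    if pos < 0 or pos + nbytes > len(payload):
        return False, pos, None
    num = int.from_bytes(payload[pos:pos + nbytes], "big" if big else "little")
    ops = {">": num > value, "<": num < value, "=": num == value}
    return ops[op], pos, num

def evaluate_rule(payload):
    """content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0;
    byte_test:1,>,31,58,relative,big. Later "stsd" occurrences are retried the
    way Snort backtracks when a following option fails."""
    doe = 0
    for pat in (b"moov", b"vide"):
        i = payload.find(pat, doe)
        if i < 0:
            return False, None, None
        doe = i + len(pat)
    last = (False, None, None)
    i = payload.find(b"stsd", doe)
    while i >= 0:
        # 58 bytes past the end of "stsd" is the length byte of the 32-byte
        # Pascal-string compressor name in the video sample description, which
        # is why the rule flags a value greater than 31.
        last = byte_test(payload, i + 4, 1, ">", 31, 58)
        if last[0]:
            return last
        i = payload.find(b"stsd", i + 1)
    return last
```

With the excerpt above the byte examined is at 0x2ff, not 0x2d0; the A0 at 0x2d0 is the size field of the avc1 sample description entry.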
